A distributed denial-of-service (DDoS) attack is a flood of illegitimate traffic that is sent to a network resource from an IP address or a group of IP addresses, rendering the network resource unavailable. A DDoS attack is a serious security threat that can affect all types of networks, from the simplest business network to the most complex corporate network. Fortunately, NetFlow Analyzer can help you detect DDoS attacks and mitigate the harm they can cause.

Understanding DDoS attacks

DDoS attacks take advantage of the Transmission Control Protocol (TCP) three-way handshake that is carried out for every connection established using TCP. Not surprisingly, hackers have found a number of ways to defeat the three-way handshake.

In a DDoS attack, the attackers disrupt the sequence of the three-way handshake, either by never answering the server's SYN-ACK or by continuously sending SYN packets from a non-existent (spoofed) IP address.

In the three-way handshake, the responding server keeps a queue of half-open connections for which it has sent a SYN-ACK and is waiting for the client's ACK. During the attack, the client never responds to the SYN-ACK, so every SYN received from the spoofed IP address leaves a half-open entry in that queue. The queue overflows and the server becomes unavailable to legitimate clients.

There are various types of denial-of-service attacks, such as Network Time Protocol (NTP) DDoS attacks, ICMP floods, teardrop attacks, peer-to-peer attacks, slow read attacks, and reflected or spoofed attacks.

Last month, an attack on an unsecured NTP server was reported to be the largest DDoS attack ever, with an attack size of approximately 400 Gbps. The attackers used a technique called NTP reflection: they sent request packets to NTP servers with the source IP address spoofed to that of the victim, so the large set of responses from the NTP servers was delivered to the spoofed address, causing temporary congestion on the network and reducing resource availability.
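The two patterns described above (half-open SYN floods and udp/123 reflection) leave a recognisable shape in flow records. The following added example is not NetFlow Analyzer code; it runs two simple threshold checks over constructed NetFlow v5-style records (the field layout, thresholds and sample addresses are assumptions) to show what such an alert looks for.

```python
from collections import defaultdict

SYN = 0x02  # TCP flag bits as carried in the NetFlow tcp_flags field
ACK = 0x10

# Constructed sample flow records, not captured data:
# (src, dst, proto, sport, dport, tcp_flags, packets, bytes)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 6, 40000, 80, 0x18, 12, 9000),  # normal web session
    ("198.51.100.1", "192.0.2.10", 17, 123, 40123, 0, 1, 90),  # normal NTP reply
]
# Simulated SYN flood: 200 spoofed sources, one 60-byte SYN each, never completed
for i in range(1, 201):
    FLOWS.append((f"203.0.113.{i % 254 + 1}", "192.0.2.10", 6, 1024 + i, 80, SYN, 1, 60))
# Simulated NTP reflection: 30 reflectors answering from udp/123 with large replies
for i in range(1, 31):
    FLOWS.append((f"198.51.100.{i}", "192.0.2.20", 17, 123, 40123, 0, 100, 48200))


def detect_syn_flood(flows, syn_threshold=100):
    """Per destination, count TCP flows that carry SYN but never ACK (half-open
    attempts). Returns {dst: (syn_only_flows, distinct_sources)} above threshold."""
    syn_only = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, proto, _sport, _dport, flags, _pkts, _byts in flows:
        if proto == 6 and flags & SYN and not flags & ACK:
            syn_only[dst] += 1
            sources[dst].add(src)
    return {d: (n, len(sources[d])) for d, n in syn_only.items() if n >= syn_threshold}


def detect_ntp_reflection(flows, byte_threshold=500_000):
    """Per destination, sum bytes of UDP flows whose source port is 123 (NTP
    replies). Returns {dst: (total_bytes, distinct_reflectors)} above threshold."""
    volume = defaultdict(int)
    reflectors = defaultdict(set)
    for src, dst, proto, sport, _dport, _flags, _pkts, byts in flows:
        if proto == 17 and sport == 123:
            volume[dst] += byts
            reflectors[dst].add(src)
    return {d: (b, len(reflectors[d])) for d, b in volume.items() if b >= byte_threshold}


if __name__ == "__main__":
    print("SYN flood candidates:", detect_syn_flood(FLOWS))
    print("NTP reflection candidates:", detect_ntp_reflection(FLOWS))
```

The distinct-source count is what separates a spoofed flood from one misbehaving client, and the reply volume from udp/123 is what separates reflection from ordinary time sync.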

Mitigating DDoS attacks with NetFlow Analyzer: One customer’s approach

James Braunegg from Micron21 is a NetFlow Analyzer customer who has done a lot of research on DDoS attacks and has written and published many blog posts on his website detailing his findings, including how to identify and mitigate a DDoS attack. James uses NetFlow Analyzer to identify and mitigate anomalies in his data center network and keep it running efficiently with high availability.

James holds a Monash University postgraduate master’s degree (MBMS) and joined Micron21 in 2004 to establish the company’s technical operations. James’ background involves running a highly successful IT hardware company for the past 20 years, along with supporting corporate networks and end-user custom software solutions focusing on individual customer support. His main focus at Micron21 is the management of the data center and its supporting infrastructure.

How James identifies DDoS attacks

In one recent incident, James used NetFlow Analyzer to analyze the abnormal spikes in his data center traffic (see image below). By using NetFlow Analyzer’s alerting mechanism, he was able to identify the abnormalities and mitigate the DDoS attack easily.

Being a data center management specialist, James’ job is to ensure high availability to Micron21 clients. Using NetFlow Analyzer, he was able to identify an NTP DDoS attack on another client. Learn how NetFlow Analyzer helped James identify this anomaly, and read his post about NTP DDoS attacks. James has also documented his experience about using NetFlow Analyzer, security analytics, and anomaly detection. You can download the case study here.

“Winding back the clock by say four or five years, I remember trying lots of software and evaluating lots of options with one goal in mind: find attack traffic and quickly identify the source and destination along with the protocol in near real time, enabling us to lower the time it took to deal with threats; relying on SNMP data for this purpose was useless,” said James. “In the end we chose ManageEngine NetFlow Analyzer, which provided a fantastic starting point for us in providing real-time visibility. While now we use NSFOCUS hardware mainly for DDoS detection and mitigation, we still to this day use ManageEngine NetFlow Analyzer within our NOC.”

James closes with a recommendation and an invitation for you: “I still today highly recommend ManageEngine Netflow Analyzer. If you need any more information please contact me!”

Reference: http://www.computerworld.com/s/article/9246230/Attackers_use_NTP_reflection_in_huge_DDoS_attack